6 rules to avoid disaster: a practical guide to phishing and spear-phishing

A chain is only as strong as its weakest link. Are you that link?

Hackers don’t come in through the firewall. Most of the time they come in through a much easier route: the staff. How? By exploiting basic psychology, and being prepared to do a little research. The easiest way to get someone’s password isn’t to guess it, or steal it, or crack it. It’s to ask for it.

So, what are the practical tricks to avoiding being the next headline?


Let’s look at phishing first. In this case, the hackers have done no research; all they have is your email address. They’re not targeting you personally, they’re casting a wide net and hoping to catch some fish. All phishing relies on you following the instructions in an email. Those instructions may lead you to open a document containing malicious code that will infect your PC; they may take you to a website that has the same effect; or they may ask you to log in to a website which looks very much like the one you thought you were visiting, but which in fact exists only to harvest your username and password.

The key question is ‘how do they get you to do as they say?’

This is where the psychology comes in. What they’re trying to do is get you to act in haste, so that you don’t take the time to check the email, website or document properly. So they’ll either try to panic you – pretending to be official and suggesting that you’ve been defrauded, or are under some kind of legal investigation – or they’ll appeal to your greed, implying that if you act quickly you may be in line for some free money, or some other prize.

Rule 1: don’t panic. Always take your time to think about what you’re being asked to do, and whether there may be risks involved. Act in haste, repent at leisure, as they say.

Rule 2: verify the origin. Look closely at the email. What was the sender’s actual email address – not the friendly display name, which can say anything at all? Is it mis-spelled? Is it from a very similar domain to the one you were expecting, but not actually identical? Find a genuine email from the same source and compare them.

Rule 3: reverse the psychology. Is this how the real world would behave? Does HMRC contact tax payers by email to tell them they owe unexpected tax – or are due a rebate? Would PayPal bully you into acting NOW? Are you really likely to have won a lottery you don’t remember entering; are there really promotions giving away a million dollars to randomly selected email users? No. HMRC send you terrifying brown envelopes by snail mail. PayPal treat you like a customer. Lotteries exist to make a profit.

Rule 4: do they know enough? Anyone who claims you owe them money, or are under investigation, would know your name. So would your bank, credit card company, the tax man, PayPal and so on. So if the email begins “Dear customer” or “Dear cardholder” or some such formulation, ask yourself why. This lack of personal information is a key red flag for phishing emails.

Rule 5: verify the action. For preference, don’t click on the link in the email. Instead, go to a browser and type in the correct address for the relevant organisation, then log in as you normally would. If there really is something they need you to do, it’ll be visible in your account. If you are determined to click the link, hover over it first and check – really carefully – that it goes where you think it does. http://paypal.co.uk.security.fraud-prevention.dodgymalware.com is not the same as http://paypal.co.uk/security/fraud-prevention. The only part the hacker cannot choose freely is the registered domain itself (paypal.co.uk or dodgymalware.com); everything to the left of it in the hostname, and everything after the first slash, can be anything they want it to be. If there’s a document instead, and you weren’t expecting it, my broad advice would be to delete the email; there’s just too much risk in opening documents (especially Word documents, PDFs and – obviously – program files) from unknown sources. Don’t rely on your virus scanner.

Rule 6: the real world can be hacked too. Don’t trust phone numbers in emails that make you suspicious. Go look up the real phone number and call that. If you Google for it, check carefully that you’re getting the correct result. Better, again, to find a previous innocuous email from the same company, or go to their website (by typing it in) and get it there. There’s a whole separate topic on other phone-number scams that are operating at the moment, which I’ll cover in a later post.
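Rules 2 and 5 both come down to the same check: find the part of a hostname that the sender cannot choose freely (the registered domain: paypal.co.uk, dodgymalware.com) and compare it with the one you expect. The script below is an added example, not code from the original post; it applies that check to a link’s target and to a sender address. The tiny public-suffix table and the sample addresses and URLs are constructed for illustration; real tooling should use the full Public Suffix List, because suffixes like co.uk cannot be found by counting labels.

```python
from urllib.parse import urlsplit

# Assumption: a stand-in for the Public Suffix List, big enough for the
# examples on this page. Use the real list (e.g. the publicsuffix2 package)
# in anything you rely on.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the registered domain of a hostname: the longest known public
    suffix plus the one label to its left. Everything further left is a
    subdomain the owner of that registered domain can set to anything."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    # No known suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def link_matches(url: str, expected_domain: str) -> bool:
    """Rule 5: does the link's real hostname belong to the expected domain?
    urlsplit().hostname strips scheme, userinfo (the 'paypal.co.uk@evil.com'
    trick), port and path, so only the host is compared."""
    host = urlsplit(url).hostname
    if not host:
        return False  # mailto:, javascript:, or no host at all
    try:
        return registrable_domain(host) == expected_domain.lower()
    except ValueError:
        return False


def sender_matches(address: str, expected_domain: str) -> bool:
    """Rule 2: does the sender address (not the display name) belong to the
    expected domain? A look-alike such as paypa1.co.uk fails this test."""
    if address.count("@") != 1:
        return False
    host = address.rsplit("@", 1)[1]
    try:
        return registrable_domain(host) == expected_domain.lower()
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the page's own URLs plus two common tricks.
    expected = "paypal.co.uk"
    samples = [
        "http://paypal.co.uk/security/fraud-prevention",
        "http://paypal.co.uk.security.fraud-prevention.dodgymalware.com",
        "http://paypal.co.uk@dodgymalware.com/login",
        "https://paypa1.co.uk/login",
    ]
    for url in samples:
        print(f"{'OK  ' if link_matches(url, expected) else 'BAD '} {url}")
    for sender in ["service@paypal.co.uk", "service@paypal.co.uk.example.com"]:
        print(f"{'OK  ' if sender_matches(sender, expected) else 'BAD '} {sender}")
```

In an HTML email the text you can see and the address the link actually points to are separate; the check has to run on the href (what the browser shows when you hover), never on the visible text.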


On to spear-phishing. This is a whole different game. In this case, the hackers are coming after you, personally. They will have researched you. Thank you, Facebook, LinkedIn, Twitter, Instagram et al – it’s just so easy now to build up a detailed profile of a target. They know your name, where you work, what you do, whom you report to, who your friends are – at work and outside it – what your interests are, whether you have kids, where you live (at least broadly) and so on.

You may not be the ultimate target. They may be using you just to get inside your organisation, so that they can install some malware that captures keystrokes, or maps the network, or reads your email, as a precursor to a bigger hack.

Or they might be after you. They might know that you have a property purchase coming up (because they’ve already hacked your email after you fell for a plain phishing scam); they might know that your company is engaged in expanding into developing markets and has cash to burn; they might have worked out that you’re likely to have the admin credentials for the main corporate database.

Spear-phishing is still about psychology. They want you to do something that will damage you; the difference is that they can defeat the easy tests, like rule 4 above, since they know all about you. They can exploit your desire to do your job and impress your bosses, rather than using simpler fear and greed triggers. And they’ll usually make it look like the email comes from someone on the inside, rather than a third party.

All the other rules still work, especially Rule 3. Would your boss really ask you to do this? Does the SEC really require you to restrict correspondence about a company deal to a non-company account? Is it really this urgent? If it was, wouldn’t your correspondent have phoned? Would your IT support really ask you to email them your username and password, or go and ‘verify’ them at some complicated portal address?

But we need a replacement rule 4. Here it is:

Rule 4b: be a pain in the arse. Stick to procedure. If there isn’t a procedure, create one. If someone asks you to do anything that feels like a security risk – like, oh, I don’t know, transferring $17m to a random account in China on the QT – phone them, get them to authorise it properly. If the IT desk apparently calls asking for your password, call them back, ask for a supervisor. If the bank calls, hang up, then call them back – from a different phone if you can’t be sure the call dropped. The more they’re trying to rush you or threaten you with consequences, the more bull-headed you need to be.

You may not make yourself popular to begin with. But when the penny drops with senior management – as we all hope it eventually will – that you could have saved the company millions, that might just change.
